Individual Authentication and Access Control
For purposes of this report, authentication usually refers to the process of establishing that a particular identifier (such as a login name) correctly refers to a specific party, such as a user, a company, or a government agency.
As applied to individuals, authentication serves two purposes:
• Ensuring that only authorized parties can perform certain actions. In many organizations, authorized users are granted a set of privileges—the system is intended to ensure that those users can exercise only those privileges and no others. Because certain users have privileges that others lack, someone who is not authorized to perform a given action may seek to usurp the authentication credentials of someone who is so authorized so that the unauthorized party can impersonate an authorized party. A user may be authorized by virtue of the role(s) he or she plays (e.g., all senior executives have the ability to delete records, but no one else) or by virtue of his or her explicit designation by name (Jane has delete access but John does not).
• Facilitating accountability, which is the ability to associate a consequence with a past improper action of an individual. Thus, the authentication process must unambiguously identify one and only one individual who will be held accountable for improper actions. (This is the reason that credentials should not be shared among individuals.) To avoid accountability, an individual may seek to defeat an authentication process.
In general, the authentication process depends on one or more of three factors: something you know, something you have, or something you are.
• Something you know, such as a password. Passwords have many advantages. For example, the use of passwords requires no specialized hardware or training. Passwords can be distributed, maintained, and updated by telephone, fax, or e-mail. But they are also susceptible to guessing and to theft.6 Passwords are easily shared, either intentionally or inadvertently (when written down near a computer, for example), and a complex, expensive infrastructure is necessary to enable resetting lost (forgotten) passwords. Because people often reuse the same name and password combinations across different systems to ease the burden
6 For example, in 2010, the most common passwords for Gawker Media Web sites were (in order of frequency) “123456,” “password,” and “12345678.” See Impact Lab, “The Top 50 Gawker Media Passwords,” December 14, 2010, available at http://www.impactlab.net/2010/12/14/the-top-50-gawker-media-passwords/.